CCNA Security Lab 4 - Authentication and Authorization - CLI 

Lab 4 

Authentication and Authorization 
Lab Objective: 

The objective of this lab exercise is for you to learn and understand how to 
configure Authentication and Authorization in Cisco IOS software. 

Lab Purpose: 

Authentication and Authorization are two of the three components of AAA 
services. These two components secure access to Cisco IOS routers and dictate 
who can access these devices and what they can do on these devices. 

Lab Difficulty: 

This lab has a difficulty rating of 6/10. 

Readiness Assessment: 

When you are ready for your certification exam, you should complete this lab in 
no more than 10 minutes. 

Lab Topology: 

Please use the following topology to complete this lab exercise: 



[Topology diagram: Host 1 (172.16.1.254/24) connected to R1 F0/0 (172.16.1.1/24)] 

Lab 4 Configuration Tasks 
Task 1: 

Configure the hostname on R1 and IP addressing as illustrated in the diagram. In 
addition, configure Host 1 with the IP address specified and a default gateway 
of 172.16.1.1. 

NOTE: 

If you do not have a Host in your lab, you can simply substitute Host 1 for another router with an Ethernet 
interface and a default static route pointing to 172.16.1.1. 

Task 2: 

Configure Authentication as follows on R1: 

Users should first attempt to be authenticated against TACACS+ server 172.16.1.192 
If the TACACS+ server is unavailable, users should be authenticated locally 
The Authentication username prompt should read: "Please Enter The Correct Username:" 

The Authentication password prompt should read: "Please Enter The Correct Password:" 

The TACACS+ server should use the password securetacacs+ for security 

Task 3: 

Configure Authorization as follows on R1: 

Users should be allowed to execute EXEC commands once successfully authenticated 
Network connections to R1 should be authenticated via TACACS+ 

Authorization should NOT be used for configuration commands 

Task 4: 

Configure user ccna with a password of security on R1. In addition to this, configure an enable secret of aaasecret 
on R1. Finally, configure R1 so that AAA is used for Telnet/SSH connections. 

Task 5: 

Verify that your Authentication and Authorization configuration works as expected using the appropriate debugging 
commands while you Telnet from Host 1 to R1. 


Lab 4 Configuration and Verification 
Task 1: 

Router(config)#hostname R1 
R1(config)#int f0/0 
R1(config-if)#ip address 172.16.1.1 255.255.255.0 
R1(config-if)#no shutdown 
R1(config-if)#exit 
R1(config)#exit 
R1# 


C:\>ipconfig 

Windows IP Configuration 

Ethernet adapter Local Area Connection 2: 

        Connection-specific DNS Suffix  . : 
        IP Address. . . . . . . . . . . . : 172.16.1.254 
        Subnet Mask . . . . . . . . . . . : 255.255.255.0 
        Default Gateway . . . . . . . . . : 172.16.1.1 

Ethernet adapter Wireless Network Connection: 

        Media State . . . . . . . . . . . : Media disconnected 

C:\> 


Task 2: 

R1(config)#aaa new-model 
R1(config)#aaa authentication login default group tacacs+ local enable 
R1(config)#aaa authentication username-prompt "Please Enter The Correct Username:" 
R1(config)#aaa authentication password-prompt "Please Enter The Correct Password:" 
R1(config)#tacacs-server host 172.16.1.192 key securetacacs+ 

Task 3: 

R1(config)#aaa authorization exec default if-authenticated 
R1(config)#aaa authorization network default group tacacs+ 
R1(config)#no aaa authorization config-commands 

Task 4: 

R1(config)#username ccna secret security 
R1(config)#enable secret aaasecret 
R1(config)#line vty 0 4 
R1(config-line)#login authentication default 
R1(config-line)#exit 
R1(config)#exit 
R1# 

Task 5: 


[Telnet session from Host 1 to 172.16.1.1] 

User Access Verification 

Please Enter The Correct Username:ccna 
Please Enter The Correct Password: 

R1>enable 
Please Enter The Correct Password: 
R1# 
R1#show run int f0/0 
Building configuration... 

Current configuration : 95 bytes 
! 
interface FastEthernet0/0 
 ip address 172.16.1.1 255.255.255.0 
 duplex auto 
 speed auto 
end 
R1# 

R1#debug aaa authentication 
AAA Authentication debugging is on 
R1# 
R1#debug aaa authorization 
AAA Authorization debugging is on 
R1# 
R1#debug tacacs authentication 
TACACS+ authentication debugging is on 
R1# 
R1#show debugging 
General OS: 
  TACACS+ authentication debugging is on 
  AAA Authentication debugging is on 
  AAA Authorization debugging is on 
R1# 
R1# 

*Mar 1 01:33:11.428: AAA/BIND(00000006): Bind i/f 
*Mar 1 01:33:11.428: AAA/AUTHEN/LOGIN (00000006): Pick method list 'default' 
*Mar 1 01:33:11.432: TPLUS: Queuing AAA Authentication request 6 for processing 
*Mar 1 01:33:11.432: TPLUS: processing authentication start request id 6 
*Mar 1 01:33:11.436: TPLUS: Authentication start packet created for 6() 
*Mar 1 01:33:11.436: TPLUS: Using server 172.16.1.192 
*Mar 1 01:33:11.440: TPLUS(00000006)/0/NB_WAIT/83C593B4: Started 5 sec timeout 
*Mar 1 01:33:16.440: TPLUS(00000006)/0/NB_WAIT/83C593B4: timed out 
*Mar 1 01:33:16.440: TPLUS(00000006)/0/NB_WAIT/83C593B4: timed out, clean up 
*Mar 1 01:33:16.440: TPLUS(00000006)/0/83C593B4: Processing the reply packet 
*Mar 1 01:33:23.471: AAA/AUTHOR (00000006): Method=If-authen for method list id=00000000 Skip author 
*Mar 1 01:33:25.298: AAA: parse name=tty66 idb type=-1 tty=-1 
*Mar 1 01:33:25.302: AAA: name=tty66 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=66 channel=0 
*Mar 1 01:33:25.302: AAA/MEMORY: create_user (0x83FE0350) user='ccna' ruser='NULL' ds0=0 port='tty66' rem_addr='172.16.1.254' authen_type=ASCII service=ENABLE priv=15 initial_task_id='0', vrf= (id=0) 
*Mar 1 01:33:25.302: AAA/AUTHEN/START (103502052): port='tty66' list='' action=LOGIN service=ENABLE 
*Mar 1 01:33:25.302: AAA/AUTHEN/START (103502052): non-console enable - default to enable password 
*Mar 1 01:33:25.302: AAA/AUTHEN/START (103502052): Method=ENABLE 
*Mar 1 01:33:25.302: AAA/AUTHEN(103502052): Status=GETPASS 
*Mar 1 01:33:29.000: AAA/AUTHEN/CONT (103502052): continue_login (user='(undef)') 
*Mar 1 01:33:29.000: AAA/AUTHEN(103502052): Status=GETPASS 
*Mar 1 01:33:29.000: AAA/AUTHEN/CONT (103502052): Method=ENABLE 
*Mar 1 01:33:29.032: AAA/AUTHEN(103502052): Status=PASS 
*Mar 1 01:33:29.032: AAA/MEMORY: free_user (0x83FE0350) user='NULL' ruser='NULL' port='tty66' rem_addr='172.16.1.254' authen_type=ASCII service=ENABLE priv=15 vrf= (id=0) 
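The debug output above shows the TACACS+ request to 172.16.1.192 timing out after 5 seconds before the router moves to the next method in the list; a fallback like this is worth catching in practice, because it means logins are no longer being checked against the central server. The script below is an added example and not part of the lab: it parses lines in this debug format, groups them by AAA request id, and reports requests that passed only after a TACACS+ timeout. The sample lines are constructed in the lab's format, and the Method=LOCAL and Status=PASS lines for request 6 are assumed (what the local fallback would log), not copied from the lab output.

```python
import re

# Constructed sample modelled on the lab's "debug aaa authentication" and
# "debug tacacs authentication" output; the Method=LOCAL and Status=PASS
# lines for request 6 are assumed (what the local fallback would log).
SAMPLE_DEBUG = """\
*Mar  1 01:33:11.428: AAA/AUTHEN/LOGIN (00000006): Pick method list 'default'
*Mar  1 01:33:11.436: TPLUS: Using server 172.16.1.192
*Mar  1 01:33:11.440: TPLUS(00000006)/0/NB_WAIT/83C593B4: Started 5 sec timeout
*Mar  1 01:33:16.440: TPLUS(00000006)/0/NB_WAIT/83C593B4: timed out
*Mar  1 01:33:16.440: TPLUS(00000006)/0/NB_WAIT/83C593B4: timed out, clean up
*Mar  1 01:33:21.100: AAA/AUTHEN/CONT (00000006): Method=LOCAL
*Mar  1 01:33:21.104: AAA/AUTHEN(00000006): Status=PASS
*Mar  1 01:33:23.471: AAA/AUTHOR (00000006): Method=If-authen for method list id=00000000 Skip author
*Mar  1 01:33:25.302: AAA/AUTHEN/START (103502052): Method=ENABLE
*Mar  1 01:33:29.032: AAA/AUTHEN(103502052): Status=PASS
"""

LINE_RE = re.compile(r"^\*\w{3}\s+\d+ \d\d:\d\d:\d\d\.\d+: (.*)$")   # strip timestamp
SERVER_RE = re.compile(r"^TPLUS: Using server (\S+)")
TIMEOUT_RE = re.compile(r"^TPLUS\((\d+)\)\S*: timed out$")            # not the "clean up" line
METHOD_RE = re.compile(r"^AAA/AUTHEN\S* \((\d+)\): Method=(\S+)")     # AUTHEN only, not AUTHOR
STATUS_RE = re.compile(r"^AAA/AUTHEN\((\d+)\): Status=(\S+)")


def summarize_aaa(debug_text):
    """Group debug lines by AAA request id and record how each request was handled."""
    sessions, last_server = {}, None

    def sess(rid):
        return sessions.setdefault(rid, {"server": None, "timeouts": 0,
                                         "methods": [], "status": None})

    for raw in debug_text.splitlines():
        m = LINE_RE.match(raw)
        msg = m.group(1) if m else ""     # prompts and non-debug lines match nothing
        if (x := SERVER_RE.match(msg)):
            last_server = x.group(1)      # "Using server" lines carry no request id
        elif (x := TIMEOUT_RE.match(msg)):
            s = sess(x.group(1))
            s["timeouts"] += 1
            s["server"] = last_server
        elif (x := METHOD_RE.match(msg)):
            sess(x.group(1))["methods"].append(x.group(2))
        elif (x := STATUS_RE.match(msg)):
            sess(x.group(1))["status"] = x.group(2)
    return sessions


def fallback_logins(sessions):
    """Request ids that PASSed only after the TACACS+ server timed out."""
    return [rid for rid, s in sessions.items() if s["timeouts"] and s["status"] == "PASS"]
```

Feed it the output of `terminal monitor` or the syslog buffer and alert on every id `fallback_logins` returns; a non-empty list means the device accepted a login while its TACACS+ server was unreachable.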

Lab 4 Configurations 
R1 Configuration 

R1#show run 
Building configuration... 

Current configuration : 1145 bytes 
! 
version 12.4 
service timestamps debug datetime msec 
service timestamps log datetime msec 
no service password-encryption 
! 
hostname R1 
! 
boot-start-marker 
boot-end-marker 
! 
enable secret 5 $1$y8wu$AFbDAxFJykgN55jMYOICoO 
! 
aaa new-model 
! 
! 
aaa authentication password-prompt "Please Enter The Correct Password:" 
aaa authentication username-prompt "Please Enter The Correct Username:" 
aaa authentication login default group tacacs+ local enable 
aaa authorization exec default if-authenticated 
aaa authorization network default group tacacs+ 
! 
! 
aaa session-id common 
no network-clock-participate slot 1 
no network-clock-participate wic 0 
ip cef 
! 
! 
multilink bundle-name authenticated 
! 
! 
username ccna secret 5 $1$Fzrf$K2Ek3GaOj49kbylSrbjJhl 
archive 
 log config 
  hidekeys 
! 
! 
interface FastEthernet0/0 
 ip address 172.16.1.1 255.255.255.0 
 duplex auto 
 speed auto 
! 
interface Serial0/0 
 no ip address 
! 
ip forward-protocol nd 
! 
! 
ip http server 
no ip http secure-server 
! 
tacacs-server host 172.16.1.192 key securetacacs+ 
! 
control-plane 
! 
! 
line con 0 
line aux 0 
line vty 0 4 
! 
! 
end 